ES2496982T3 - Entity characterization procedure at the beginning of variations in a network traffic - Google Patents

Abstract

Entity characterization procedure at the beginning of at least one variation detected in a network traffic, the procedure comprising: - a step (E11) for determining a suitable analysis period comprising at least one suspicious time segment, containing the time segment the variation detected in traffic is suspicious, - an evaluation stage (E14-1), for an entity (ck) contributing to the network traffic, of a representative value of a traffic similarity between a part of the traffic attributable to that entity and network traffic during the appropriate analysis period, said evaluation stage being performed for a plurality of entities contributing to the network traffic, and - an identification step (E14-2), between the plurality of entities contributing to the network traffic, from a group of entities responsible for traffic variation, based on the traffic similarity values evaluated; said procedure being characterized in that said identification step comprises: - a traffic suppression operation attributable to the entity whose traffic similarity with the network traffic is stronger, the deletion operation being repeated until the traffic similarity between the filtered traffic and the overall traffic is less than a predefined threshold, the group of entities comprising the entities whose traffic has been filtered.

Description

10

fifteen

twenty

25

30

35

40

Four. Five

fifty

55

60

65

E09753148

08-28-2014

DESCRIPTION

Entity characterization procedure at the beginning of variations in a network traffic

The present invention relates to a method of characterization of entities at the beginning of at least one variation in a network traffic.

The invention is in the field of telecommunications networks. Find a particularly interesting application in the security of a computer network, and particularly in the identification of a set of compromised machines, controlled by the same malicious user (the term commonly used to designate this set of machines is "botnet"). A botnet can regroup several thousand machines, called zombie machines, that are infected by a nefarious program installed on the machine behind the back of a legitimate user. The nefarious program allows the malicious user to operate the botnet machines from a control machine. A botnet is used for example to perpetrate malicious actions against other machines, to do illegal trade, or to earn money dishonestly.

Botnet-type networks have evolved over time. Several procedures for identifying botnet machines are known. For example, the article Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic, R. Villamarin and JC. Brustoloni, published in the Proceedings IEEE CCNC 2008, proposes a procedure to identify command and control servers of a botnet type network. This procedure is based on an analysis of DNS requests (from Domaine Name Service). A first way of carrying out the procedure is to look for the rates of requests with abnormally high particular domain names. A second way of carrying out the procedure is to search for recurring requests with domain names that do not exist. These methods are adapted to cases in which all clients try to access the same server and make DNS requests related to the same domain name.

The patent application published under EP 1906620 discloses a method to detect compromised clients that constitute a botnet. At first, the procedure identifies suspicious clients, for example clients that perform vulnerability scanners, and then precisely analyzes the traffic of these clients in order to identify other suspicious activities, such as a connection to a specific server such as a instant messaging server. In this case, the customer is marked as potentially part of a group of machines. An analysis and a comparison of all the data harvested in the suspicious clients allows to identify groups of machines connected to the same server, each of the members of the group being identified as part of a botnet. However, the procedure is based on the hypothesis that all suspicious clients in a group access the same server and therefore use the same channel.

Now, botnet networks evolve. Thus, zombie machine networks are currently appearing, which constitute a botnet, which are organized into “P2P” (peer-to-peer) networks. It becomes difficult then to identify a channel used for botnet zombie machines. It turns out that the aforementioned methods are totally misfit to identify the botnet zombie machines.

One of the objects of the invention is to remedy inadequacies of the state of the art. The invention responds to this need by proposing a feature characterization procedure at the beginning of at least one variation detected in a network traffic, said method being defined according to claim 1.

The invention offers a technique that identifies the origin of behaviors in the network that cause strong variations in network traffic with respect to a traffic, called normal, usually observed.

The method according to the invention allows analyzing network behaviors by analyzing the IP entities of the packets that constitute the traffic. The procedure identifies through a visibly abnormal macroscopic behavior, a list of clients that have the same abnormal behavior. Thus, the clients on the list seem to all have similar behavior, for example, an awakening phase in the course of which everything is set at approximately the same time as the traffic is emitted, and a numbing phase in the course of the which all stops approximately simultaneously to emit traffic.

Therefore, when global traffic to a particular server is available, it is easy to observe macroscopic behavior that deviates from normal behavior, therefore it is difficult to identify the origin of such behavior that is diverted by a plurality of machines. The method according to the invention remedies this problem by characterizing all the machines correlated to this deviant behavior, that is, they have a behavior similar to the deviating behavior.

In an embodiment of the invention, the step of identifying the group of entities comprises:

-a stage of classification of the plurality of entities (ck) that contributes to network traffic in an ordered set, according to a predefined order of traffic similarity (sk),

10

fifteen

twenty

25

30

35

40

Four. Five

fifty

55

60

65

E09753148

08-28-2014

-a stage of selection of x consecutive entities in the ordered set in order to form said group, the traffic similarity value (cov (C x → P)) between the accumulated traffic attributable to the remaining entities (sx + 1, …, Sp) of the ordered set and the network traffic being less than a predefined threshold.

Observing the traffic in a macroscopic manner, one difficulty is to better identify the entities responsible for macroscopic variations in traffic. In order to identify a group of x suspicious clients, a filtering of the observed global traffic is carried out by repeating for a plurality of clients a suppression operation of a traffic attributable to a client. With each iteration, it is the customer traffic whose covariance with global traffic is the strongest that is suppressed. The suppression operation of a client traffic is repeated until a covariance is obtained between the filtered traffic and the global traffic below a predefined threshold. Thus, for each of the entities P that contribute to the global traffic, the covariance of the entity's traffic with the global traffic is calculated, the entities s1, ..., sp being then classified by decreasing covariances. It also defines an accumulated covariance, cov (Cu → v), with u <v, as the covariance between the traffic generated by customers s indexes between u and v, and global traffic. The procedure then identifies the number x of customers most involved in the macroscopic variation of the global traffic by identifying the index x of the entity from which the covariance accumulated cov (Cx → p) ≤0. The traffic of the entities of index x to P no longer presenting correlation with the global traffic, while the entities x of indexes 1 to x are those that present the strongest correlation with the global traffic.

In an embodiment of the invention, the step of determining a suitable analysis period comprises:

-a stage of selecting an area of (m) consecutive past hourly sections,

-if the number of suspicious sections in that zone is lower than a predefined (p) rate, while a selection of a new zone comprises the most recent past (m-1) time sections, and

-if the number of suspicious tranches in said zone is greater than or equal to said rate, while the appropriate analysis period is equal to said zone.

Advantageously, the procedure makes it possible to determine an optimal suitable analysis period.

With the method according to the invention, the entity (ck) contributing to the global traffic is identified by means of a criterion (c), said criterion being a field of an IP packet issued by said entity belonging to the group comprising: IP address source, source port, DNS request.

Several criteria are used in order to characterize macroscopic variations in a network traffic. Typically, any field of an IP packet can be used. The process according to the invention nonetheless retains several relevant fields. Thus, the source IP address, used as a criterion by the method according to the invention, allows identifying any of the machines at the beginning of macroscopic variations in traffic. In case of a massive attack of a server whose traffic is observed by a plurality of machines organized in botnet, then the procedure according to the invention allows identifying the machines that constitute this network of zombie machines.

In addition to the identification of machines at the beginning of macroscopic variations in the network, the procedure is adapted to explain the origin of macroscopic variations. Thus, a possible criterion corresponds to an issue contained in a DNS request. Using this criterion, it is then possible to identify a failure of a server associated with a specific domain name. In fact, if the machines are registered with this server, a failure of the server will lead to a registration of these machines with the server. To do so, the previously registered machines will issue DNS requests with the DNS servers to retrieve the IP address of the server next to which they wish to register. These simultaneous emissions of DNS requests cause a visible macroscopic variation of the DNS request traffic.

Another interesting criterion retained by the method according to the invention is the source port. In the case of a denial of service attack, this field can identify an attack signature. Indeed, during the automated mass attack, which involves sending a large number of requests to the same server, it is rare that all fields of the IP packets sent automatically are random. The source port is part of these often non-random fields.

The invention also relates to a traffic characterization device adapted to characterize entities at the beginning of at least one variation detected in a network traffic, at least one variation greater than a predetermined value being detected in said traffic, said device being defined according to claim 5.

The invention also concerns a computer program on a data carrier and loadable in the internal memory of a computer, the program comprising portions of code for the execution of the steps of the process according to the invention, when the program is executed on said computer .

fifteen

25

35

Four. Five

55

65

E09753148

08-28-2014

The invention also relates to a data carrier in which the computer program according to the invention is registered.

Other features and advantages of the present invention will be better understood from the description and the accompanying drawings among which:

FIG. 1 represents the steps of the entity characterization procedure at the beginning of variations in a network traffic, according to a particular embodiment of the invention;

- Figure 2 represents an example of a detailed embodiment of the stages of continuous traffic observation and determination of a suitable analysis period of the entity characterization procedure according to Figure 1;

-Figure 3 is a graph of observed network traffic that shows significant variations, and which can make the object of an analysis according to the method of the invention;

- Figures 4a, 4b and 4c are graphs that show customer traffic whose covariance with total traffic is representative;

-Figure 5 is an example of architecture that starts the process according to the invention.

The steps of the feature characterization procedure at the beginning of significant variations with respect to a traffic usually observed in a network traffic according to an embodiment of the invention will now be described in relation to Figure 1.

In an initial stage E10 of continuous observation of a global network traffic to a server not represented, N_max time sections of duration T corresponding to an initial period of traffic observation are identified, n_susp time sections of suspicious duration T during which they observe macroscopic behavioral variations of global traffic. An example of such variations is illustrated by the curve according to Figure 3. The overall traffic corresponds to the traffic entering for this server, that is, the traffic received by this server that comes from a plurality of sources.

In this example of embodiment described here, the identification of n_susp suspicious time segments consists in identifying a strong variation of traffic between two successive time sections Ti-1 and Ti of duration T, which passes a predefined value. The variation corresponds to both an increase in traffic and a decrease. In this case, the Ti-1 and Ti time segments are labeled as suspects.

At the end of stage 10, and followed by the identification of n_susp suspicious time sections between N_max initial observation time frames of the global traffic to the server, it is convenient to carry out an accurate traffic analysis to analyze the origins of the macroscopic variations observed in the global traffic

In an E11 step of determining an appropriate analysis period, an appropriate analysis period and the traffic corresponding to this period are determined. The appropriate analysis period is generally smaller than the initial observation period and richer in information relative to traffic variations, to allow an accurate analysis of macroscopic traffic variation. To this end, the appropriate analysis period is evaluated as being a number m of successive time sections of duration T between the initial observation N_max comprising at least one p rate of suspicious sections. The p-rate used allows to specify a more important weight in the suspicious sections. Usually, the p rate of suspicious tranches is between 30% and 70%. For example, a 50% rate allows obtaining an adequate analysis period that comprises at least 50% of suspicious time zones.

A variant embodiment of the observation steps E10 continues, and E11 for determining a suitable analysis period will be described later in relation to Figure 2.

Once the appropriate analysis period has been determined, a cut of the global traffic observed during the analysis period is carried out in an E12 cut-off stage, adapting in n hours of analysis of duration t. The duration t is different from the duration T of the initial observation time zones and generally smaller than T in order to have a large number of information. The more the number n of time sections of analysis t is important, in addition there will be information per section t of time, however heavier the analysis will be. For example, the appropriate analysis period can be cut by 100 time periods of analysis.

In a step E13 of criterion choice, a criterion c is selected to perform the analysis in order to explain the variation detected in the network traffic. Criterion c is a field between the fields of an IP packet of network traffic. In the embodiment described here, the analysis criterion c is the source IP address of the packets observed in the global traffic. The ck value of the criterion represents the IP address of the client k, used as the source IP address in the packets issued by the client k. The customer k can thus be identified by the value ck of the criterion c.

fifteen

25

35

Four. Five

E09753148

08-28-2014

Other examples of criteria are presented later.

It is noted that step E13 of selection of a criterion is independent of the preceding stages E11 and E12 and can be performed prior to stage E12, or to stage E11.

In a step E14 of identification of suspicious clients, a set of x suspicious clients involved in the variation detected in traffic between P clients participating in the global traffic whose behavior is strongly correlated with the macroscopic behavior observed is identified.

To this end, in a sub-stage E14-1 of evaluation of a traffic similarity between a traffic attributable to an entity and the network traffic, it is calculated for each client k that participates in the global traffic, 1≤k≤P, and identified by a ck value of criterion c, a covariance cov (ck) according to the following formula:

image 1

where rck.i represents the number of packets that meet the ck criteria and observed in the global traffic during the time zone i of duration t.rck.i is therefore the number of source IP address packets ck observed in the global traffic during the analysis schedule section i.

image2 It represents the average of the number of packages that respond to the ck criterion during the appropriate analysis period constituted by n hours of analysis, and is calculated as follows:

image3

Ri represents the volume of traffic, in terms of the number of packets, all the clients confused during the hourly analysis section and of duration t, and it is calculated as follows:

image4

R0 represents the average global traffic during the appropriate analysis period and is calculated as follows:

image5

By definition, covariance allows the evaluation of the sense of variation of two variables and, thus, qualifies the independence of these variables. In this particular case, the covariance cov (ck) calculated for the client k allows to evaluate the dependence between the resulting traffic of the client k and the global traffic. It therefore represents a traffic similarity between a portion of the traffic, attributable to the client k, and the network traffic. The more positive and high the covariance calculated for the client k, the more similar are the variations observed in the traffic resulting from the client k to those observed in the global traffic.

More precisely, the covariance cov (ck) associated with a client k is as large as the intervals between the instantaneous behaviors of the client k with respect to its behavioral environment, and the total volume of traffic with respect to its average in the analysis period They are frequently in the same direction.

Examples of customer traffic are provided whose covariance with total traffic is representative in relation to Figures 4a, 4b and 4c.

In a sub-stage E14-2 of identification of a group of x suspicious clients, a filtering of the global traffic observed is carried out by repeating for a plurality of clients a suppression operation of a traffic attributable to a client. With each iteration, it is the customer traffic whose covariance with global traffic is the strongest that is suppressed. The suppression operation of a client traffic is repeated until a covariance is obtained between the traffic

E09753148

08-28-2014

Filtering and global traffic below a predefined threshold. In this exemplary embodiment of the invention, the predefined threshold is set to 0. The suppression operation is therefore repeated until the covariance is canceled. Thus, x clients involved in these successive deletions are identified. These clients are identified as the x suspicious clients among the P clients that participate in the observed global traffic. The principle of the E14-2 sub-stage is therefore

5 suppress the traffic of the x most suspicious clients in the global traffic until obtaining a filtered traffic free of visible variations, being a problem to distinguish the x suspicious clients from these that are not in a global traffic.

To this end, an ordered set is defined, designated C1 → P of customers of respective indices ranging from 1 to P.

10 this example of realization, the set of clients is ordered according to a decreasing order of covariance, each client being identified by its criterion value c, that is, in this particular case by its IP address. This set is indicated C1 → P = {s1, s2,…, sp), s1 representing the client that generates a client traffic that has the strongest covariance with the global traffic, and s P the client generating a client traffic that has the lowest covariance with global traffic. It is noted that for any client of index j, represented by the element sj, with 1≤j≤P, there is

15 a value ci of criterion c, which corresponds here to the IP address of this index client j, with 1≤i≤P, such as sj = ci.

An accumulated covariance, cov (Cu → v), is defined with u <v, as is the covariance between the traffic generated by the clients of indexes between u and v, and the global traffic. More precisely,

image6

It is noted that cov (C 1 → p) represents the covariance of global traffic with itself.

The objective is therefore to determine the number x of customers most involved in the variation detected in global traffic and therefore the number x of customers, such as:

image7

Clients x, designated s1 to sx, are those that generate accumulated traffic that has the strongest correlation 30 with global traffic.

In another example of embodiment of the invention, the identification of the suspicious n-susp tranches carried out in the initial stage E10 of traffic observation consists in comparing the global traffic observed in an average traffic, evaluated consecutively with a previous learning in a period of determined time. In

In general, the period of learning time corresponds to several consecutive days, which allow us to observe habitual variations at certain times of the day, or certain days of the week. Deviations from the observed global traffic above a predetermined value with respect to the average traffic allow to label time segments as suspicious.

In another embodiment of the invention, another criterion that the IP address is retained for analysis in order to explain the macroscopic variation of traffic. Thus, in step E13 of selecting a criterion, a selected criterion is the field that corresponds to the DNS request issued (from Domain Name Service), for example www.monsite.com. In this example, the analysis allows us to discover that a failure of one or more specific servers is at the beginning of the macroscopic traffic variation. In another embodiment of the invention,

The criterion is the source port of the IP packet. In this example, the analysis allows us to identify a common point among the packages that participate in the macroscopic variation. This common point is an index that can be assimilated to a signature in case of attack. Thus, the procedure according to the invention will identify entities, identified by their IP address, their source port, the DNS request, according to the chosen criteria.

An alternative embodiment of the steps E10 of continuous traffic observation, and E11 of determining an analysis period will now be described in relation to Figure 2.

In an initial monitoring stage E10-1, the traffic destined to a server 56 according to Figure 5 is observed during a single unit section of duration T.

In a detection step E10-2, a strong variation in traffic is detected between the current unit segment of duration T and the preceding unit section. The variation corresponds to either a brutal increase, either a

fifteen

25

35

Four. Five

55

65

E09753148

08-28-2014

brutal decrease in traffic to the server.

In an E11-1 step of determining an initial analysis window, an initial window of study of the observed traffic is determined which comprises the current unit segment as well as the N_max-1 hourly sections of preceding duration T. The overall traffic observed during the initial study window is provided by the traffic manifold 58 according to Figure 5. The initial study window, of duration N_Max time sections of duration T represents for example the traffic observed for a duration of 24 hours.

In a step E11-2 of parameterization of the analysis window, a weighting factor p is taken into account that requires a minimum rate of suspicious sections that you wish to find in the analysis window. For example, a 50% rate of suspicious tranches is desired. Then the number of suspicious sections of traffic observed during the initial study window of duration N_max hourly sections is evaluated.

In an E11-3 step of adjusting the size of the advantage, while the rate of suspicious tranches in the current analysis window is lower than the desired rate corresponding to the weighting factor p, then the size of the current analysis window is decremented of 1 in terms of number of hourly sections, the oldest hourly section being the section that is removed before re-executing step E11-3 of adjustment to the size of the window.

In a final step E11-4, the appropriate analysis window is determined; corresponds to the current analysis window obtained after as many executions of the adjustment step E11-3 as necessary. Past time sections are constituted and comprise a rate of at least suspicious tranches of duration T.

Advantageously, the determination of the appropriate analysis window allows to better adjust the traffic to be analyzed. Thus, the appropriate analysis window may comprise several macroscopic successive traffic variations that make a positive variation of the observed traffic appear at first, then a negative traffic variation at a second time. The positive variation indicates a massive increase in traffic, which can be associated with a massive sending of requests from a set of machines, and the negative variation a massive decrease, sign of a simultaneous stop of the sending of requests. Such observation is revealing of an attack, and the appropriate analysis period comprises at least the positive variation and the negative variation of the traffic. In another case of a figure in which specific and regular variations, for example daily, are observed, an adequate analysis period of several days, even one week is adapted.

Figure 3 is a layer illustrating an observed traffic destined for a server not represented. In the curve according to figure 3, it is observed that between 20.50 and 21.00, the observed traffic has fallen brutally. Likewise, it has grown brutally a little before 9:20 p.m., until 9:40 p.m.

Examples that illustrate traffic from taxpayers whose covariance with total traffic is representative in relation to Figures 4a, 4b and 4c will now be described.

Figure 4a is a curve representing the total traffic destined for a server not represented for which a cut has already been made according to an appropriate analysis period. The analysis period has been cut here in 400 sections. Significant macroscopic traffic variations are indicated in sections between 150 and 200, and between 240 and 300.

Figure 4b is a curve that represents the traffic of a customer whose covariance with total traffic is strong. The covariance calculated for this client is positive. A similarity of the client's behavior with the global traffic is signaled: the client ceases to issue packets in a section close to 150, and reissues packets again in a section close to 250.

In short, Figure 4c is a curve that represents the traffic of a customer whose covariance with the traffic is weak. The covariance calculated for this client is negative. A completely different behavior is pointed out in relation to global traffic: the client continuously issues packets between sections 100 and 350.

An example of a network architecture in which a server capable of implementing the method according to the invention is now going to be described in relation to Figure 5.

In a network 50, for example, the Internet network, a plurality of clients 51, 52, 53, 54 of which only four are represented in Figure 5 emit a traffic constituted of IP packets towards an S 56 server. Traffic bound for server 56 transits through a network device 55, for example, a router, geographically close to server 56. Router 55 sees global traffic traveling to server 56.

An anomaly detector 57 in a network traffic is adapted to monitor all the traffic that passes through the router 55 through a mirroring mechanism (the term commonly used is the English term mirroring), to transmit to a traffic manifold 58 the totality of the monitored traffic and to detect an anomaly in the traffic destined to the server 56. The anomaly corresponds to a variation of the traffic in terms of number of packets, superior to a determined value. The detector 57 of anomalies in a traffic is also adapted to inform a device 59 of

E09753148

08-28-2014

traffic characterization according to a particular embodiment of the invention of the detection of an anomaly in the observed traffic.

The traffic manifold 58 is adapted to store in a memory not shown, one or more journals (the term 5 currently used is the term log) that contains all the information pertinent to the observed traffic, such as the IP packets that constitute the traffic, Temporary stamps of these packages.

In the embodiment of the invention described herein, the traffic characterization device 59 is a computer server comprising classic modules such as:

10-network interfaces (not shown) adapted to communicate with the detector 57 of anomalies in a traffic, the traffic manifold 58;

-a man-machine interface (not shown), such as a console, adapted to present to a human operator 15 results of a characterization of entities at the beginning of macroscopic variations in a network, according to the invention;

-a microprocessor (not shown), or CPU that is a processing unit;

20 -a treatment memory (not shown) adapted to perform calculations, load program instructions corresponding to the steps of the characterization procedure according to the invention described above, and to be executed by the microprocessor.

For the implementation of the method according to the invention, the traffic characterization device 59 further comprises the following modules:

-a module 59-1 for determining a suitable analysis period, said period comprising at least the suspicious time segment corresponding to the variation detected in traffic by the detector 57 of anomalies in a traffic,

30 - an evaluation module 59-2, arranged to evaluate for each entity ck, 1≤k≤P, which contributes to the network traffic, a traffic similarity between a part of the traffic attributable to said entity and the global traffic. In the exemplary embodiment described here, the evaluation module evaluates a covariance cov (ck) between the part of the traffic associated with said entity and the network traffic during the appropriate analysis period, and

35 -a 59-3 identification module, adapted to identify among the plurality of entities that contribute to network traffic, a group of entities responsible for the variation detected in the network, based on the traffic similarity values evaluated by the evaluation module 59-2. To this end, the identification module 59-3 is arranged to classify the plurality of entities (ck) that contributes to the network traffic in an ordered set,

40 according to a predefined order of traffic similarity (sk), and to select x consecutive entities in the ordered set in order to form said group, the traffic similarity value (cov (Cx → P)) between the attributable accumulated traffic to the remaining entities (sx + 1,…, sP) of the ordered set and the network traffic being less than a predefined threshold. In this embodiment of the invention, the predefined threshold is set to 0.

The modules described above are connected to the microprocessor through a communication bus.

The modules 59-1, 59-2 and 59-3 are arranged to set the steps of the characterization process according to the invention described above. These are preferably program modules comprising program instructions for executing the stages of the evaluation procedure according to

50 the invention.

The invention therefore also relates to:

- a computer program comprising instructions for the implementation of the method of characterization of entities at the beginning of macroscopic variations in traffic such as that described above, while this program is executed by a processor;

-a registration support readable by a reader in which the computer program described above is registered.

60 Program modules can be stored, or transmitted by a data carrier. This may be a material storage medium, for example a CD-ROM, a magnetic floppy disk or a hard disk, or a transmission medium such as a signal, or a telecommunications network.

Claims (5)

5 fifteen 25 35 Four. Five 55 65 E09753148 08-28-2014 1.-Entity characterization procedure at the beginning of at least one variation detected in a network traffic, the procedure comprising: -a stage (E11) for determining an appropriate analysis period comprising at least one suspicious time segment, the suspicious time segment containing the variation detected in traffic, -a stage (E14-1) of evaluation, for an entity (ck) that contributes to the network traffic, of a representative value of a traffic similarity between a part of the traffic attributable to said entity and the network traffic during the period of adequate analysis, said evaluation stage being performed for a plurality of entities contributing to the network traffic, and -a step (E14-2) of identification, among the plurality of entities contributing to network traffic, of a group of entities responsible for traffic variation, based on the traffic similarity values evaluated; said procedure being characterized in that said identification step comprises: - a traffic suppression operation attributable to the entity whose traffic similarity with the network traffic is stronger, the deletion operation being repeated until the traffic similarity between the filtered traffic and the global traffic is less than a predefined threshold, the group of entities comprising the entities whose traffic has been filtered. 2. Method according to claim 1, wherein the step (E14-2) of identification of the group of entities comprises: -a stage of classification of the plurality of entities (ck) that contribute to network traffic in an ordered set, according to a predefined order of traffic similarity (sk), -a stage of selection of x consecutive entities in the ordered set in order to form said group, the traffic similarity value (cov (C x → P)) being less than a predefined threshold among the accumulated traffic attributable to the entities Remaining (sx + 1,…, sp) of the ordered set and network traffic. 3. Method according to claim 1, wherein the step of determining a suitable analysis period comprises: -a stage of selecting an area of (m) consecutive past hourly sections, -if the number of suspicious sections in that zone is lower than a predefined (p) rate, then a selection of a new zone comprising the most recent past (m-1) time sections, and -if the number of suspicious tranches in said zone is greater than or equal to said rate, then the appropriate analysis period is equal to said zone. 4. Method according to claim 1, wherein the entity (ck) contributing to the global traffic is identified by means of a criterion, said criterion being a field of an IP packet issued by said entity belonging to the group comprising: Source IP address, source port, DNS request. 5.-Traffic characterization device (59) adapted to characterize entities at the beginning of at least one variation detected in a network traffic, at least one variation greater than a predetermined value being detected in said traffic, said device comprising: -a module (59-1) for determining an analysis period, arranged to determine an appropriate analysis period comprising at least one suspicious time segment, the suspicious time segment containing the variation detected in traffic, - an evaluation module (59-2), arranged to evaluate, for each entity (ck) that contributes to the network traffic, a representative value of a traffic similarity between a part of the traffic attributable to said entity and the network traffic during the appropriate analysis period, said module being also arranged to perform the evaluation for a plurality of entities contributing to the network traffic, and - an identification module (59-3), arranged to identify among the plurality of entities that contribute to network traffic a group of entities responsible for traffic variation, based on traffic similarity values evaluated by the module evaluation; said device being characterized in that said identification module comprises suppression means 9 E09753148 08-28-2014 of traffic, arranged to suppress the traffic attributable to the entity whose traffic similarity with the network traffic is stronger, the deletion operation being repeated until the traffic similarity between the filtered traffic and the global traffic is less than a predefined threshold , comprising the group of entities the entities whose traffic has been filtered. 6. Computer program in a data carrier and loadable in the internal memory of a computer, the program comprising portions of code for the execution of the steps of the process according to one of claims 1 to 4, when the program is executed on that computer. 10 7. Data support in which the computer program according to claim 6 is registered. 10